X-Ways Software Technology has released version 16.5 of WinHex. WinHex is not only a universal hex editor but also performs low-level data processing through an easy-to-use interface. Among other things the program includes a RAM editor, a data interpreter and a disk editor, and it can be used, for example, to recover deleted information or to inspect files. WinHex runs on all Windows versions from Windows 2000 onward and is available in several editions, with prices starting at around forty euros. This release contains the following changes and improvements:
File Format Support
- Ability to view browser SQLite databases after generating previews for them using a new option in Specialist | Refine Volume Snapshot | Extract internal metadata, browser history and more. This requires that the files have been checked for their true file type (or are checked at the same time). Supports Firefox history, Firefox downloads, Firefox form history, Firefox sign-ons, Chrome cookies, Chrome archived history, Chrome history, Chrome log-in data, Chrome web data, Safari cache, and Safari feeds, also Skype's main.db database with contacts and file transfers.
- Ability to view Internet Explorer index.dat files after generating previews for them with the same function.
- A permanent preview can now be generated for $UsnJrnl:$J as part of metadata extraction, so that it does not have to be generated on demand when viewing or previewing this journal, which can be time-consuming for large specimens (potentially several GB).
- Ability to generate permanent previews as child objects also for Windows Event Logs (.evt and .evtx).
- The previews are stored in the volume snapshot as child objects, usually in HTML format. These child objects are not only used internally by X-Ways Forensics for previews of the parent file. You can also view all of them in an external program such as your preferred browser or in MS Excel, by sending these child objects to the program of your choice (directory browser context menu). The existence of HTML child objects with searchable text for browser data, event logs and probably more data sources in future releases also improves the effectiveness of logical searches and indexing.
- Ability to split HTML tables in the previews of browser databases and event logs after an arbitrary number of rows. You can set this number much higher if you view the HTML previews externally with your preferred Internet browser rather than with the viewer component, which cannot deal with very large tables.
- Ability to view Outlook NK2 auto-complete files, Outlook WAB address books, and Internet Explorer travellog files (a.k.a. RecoveryStore).
- Automatic highlighting of aligned FILETIME values in Disk/Partition/Volume and File mode. Useful when manually inspecting files of various Microsoft formats which may contain more timestamps than can be automatically extracted (try e.g. index.dat, registry hives, .lnk shortcut files etc.). If the lower half of a data window has the focus and FILETIME values are highlighted, you may also hover the mouse cursor over such a value to get a human-readable interpretation of the timestamp. Alternatively, of course, you can get it from the data interpreter by clicking the first byte of the value.
- Ability to extract metadata from MS Access database files.
- Metadata extraction from Manifest.mbdx and Manifest.mbdb iPhone backup files.
- Registry report definition files revised. New definition file Reg Report Autorun.txt included.
- Automatic extraction of .lnk shortcut files from automaticdestinations-ms jump lists during volume snapshot refinement.
- Improved ability to deal with corrupt .evtx event log files.
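The browser-database previews described above are HTML tables built from SQLite rows, split after a configurable number of rows and meant to be opened in an ordinary browser. The following is an added example, not X-Ways code, of what such a preview generator has to get right: it queries a constructed stand-in for Firefox's places.sqlite (only the columns used here; the real file has many more and should be queried from a copy), converts Firefox's PRTime timestamps (microseconds since the Unix epoch) to UTC, splits the output into several tables, and HTML-escapes every cell, because a page title taken from evidence is attacker-controlled text and must not become markup in the examiner's browser.

```python
import html
import sqlite3
from datetime import datetime, timedelta, timezone

# Firefox stores PRTime: microseconds since 1970-01-01 00:00:00 UTC.
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def prtime_to_iso(us):
    """Convert a PRTime value to ISO-8601; NULL (never visited) becomes ''."""
    if us is None:
        return ""
    return (UNIX_EPOCH + timedelta(microseconds=us)).isoformat()


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for places.sqlite with only the columns used here.
    One title deliberately contains markup to show why escaping matters."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE moz_places (
            id INTEGER PRIMARY KEY, url TEXT, title TEXT,
            visit_count INTEGER, last_visit_date INTEGER);
        INSERT INTO moz_places VALUES
          (1, 'https://example.org/', 'Example', 3, 1325376000000000),
          (2, 'https://example.org/login', 'Sign in', 1, 1325379600000000),
          (3, 'https://evil.example/', '<script>alert(1)</script>', 1, 1325383200000000),
          (4, 'https://example.net/', NULL, 0, NULL),
          (5, 'https://example.com/', 'Home', 7, 1325390400000000);
    """)
    return con


def firefox_history(con):
    """Rows of (url, title, visit_count, last_visit) ordered by visit time,
    never-visited entries last."""
    cur = con.execute(
        "SELECT url, title, visit_count, last_visit_date FROM moz_places "
        "ORDER BY last_visit_date IS NULL, last_visit_date")
    return [(url, title or "", count, prtime_to_iso(lv))
            for url, title, count, lv in cur]


def render_preview(headers, rows, split_after=1000) -> str:
    """Render rows as HTML, starting a new <table> every `split_after` rows.
    Every cell is escaped: the preview is opened in a browser, so a page
    title or URL from the evidence must never be injected as markup."""
    parts = ["<html><body>"]
    head = "<tr>" + "".join(f"<th>{html.escape(h)}</th>" for h in headers) + "</tr>"
    for start in range(0, len(rows), split_after):
        parts.append('<table border="1">' + head)
        for row in rows[start:start + split_after]:
            parts.append("<tr>" + "".join(f"<td>{html.escape(str(c))}</td>" for c in row) + "</tr>")
        parts.append("</table>")
    parts.append("</body></html>")
    return "\n".join(parts)


def demo(split_after=2):
    """Build the sample database and render it with a small split threshold."""
    rows = firefox_history(build_sample_db())
    return render_preview(("URL", "Title", "Visits", "Last visit (UTC)"), rows, split_after)


if __name__ == "__main__":
    print(demo())
```

With five rows and `split_after=2` the output contains three tables; the `<script>` title comes out as `&lt;script&gt;` and is displayed as text. A split threshold of a few thousand rows is a reasonable default when the preview is meant for an external browser.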
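The FILETIME highlighting in the list above works because a plausible timestamp occupies a narrow band of the 64-bit value space. The following added example (not part of WinHex) shows the underlying check: a FILETIME is the number of 100-nanosecond intervals since 1601-01-01 UTC, stored little-endian, and a scanner that only accepts values falling between 1980 and 2100 (a plausibility window chosen here, not something the release notes specify) will flag real timestamps while ignoring sizes, pointers and ASCII text. The sample buffer is constructed, not taken from a real file.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion; used here to define the plausibility window."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_to_datetime(ft: int) -> datetime:
    # timedelta has microsecond resolution, so the last digit (100 ns) is dropped.
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


# Assumption: only values between 1980 and 2100 are treated as timestamps.
# Outside that window a 64-bit value is almost certainly something else.
MIN_FT = datetime_to_filetime(datetime(1980, 1, 1, tzinfo=timezone.utc))
MAX_FT = datetime_to_filetime(datetime(2100, 1, 1, tzinfo=timezone.utc))


def find_filetimes(buf: bytes, alignment: int = 8):
    """Return (offset, datetime) for every plausible little-endian FILETIME
    that starts at a multiple of `alignment` bytes."""
    hits = []
    for off in range(0, len(buf) - 7, alignment):
        (ft,) = struct.unpack_from("<Q", buf, off)
        if MIN_FT <= ft <= MAX_FT:
            hits.append((off, filetime_to_datetime(ft)))
    return hits


# Constructed sample buffer (not a real file): two timestamps surrounded by
# data that must not be mistaken for one.
T0 = 129698496000000000  # 2012-01-01T00:00:00Z
SAMPLE = (
    b"\x00" * 8                                        # offset 0: zeros, below window
    + struct.pack("<Q", T0)                            # offset 8: timestamp
    + b"ABCDEFGH"                                      # offset 16: ASCII, far above window
    + struct.pack("<Q", T0 + 3600 * TICKS_PER_SECOND)  # offset 24: one hour later
    + struct.pack("<Q", 1)                             # offset 32: 1601, below window
)


def demo():
    """Scan the sample and return the hits as (offset, ISO-8601 string)."""
    return [(off, dt.isoformat()) for off, dt in find_filetimes(SAMPLE)]


if __name__ == "__main__":
    for off, ts in demo():
        print(f"offset 0x{off:02X}: {ts}")
```

Scanning with `alignment=1` finds timestamps that the aligned highlighting misses (e.g. inside packed structures) at the cost of more false positives from bytes straddling two fields, which is exactly the trade-off behind highlighting only aligned values.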
File System Support
- New method for the extraction of e-mail messages and attachments from MSG files, which does not require MAPI.
- Revised extraction of e-mail messages and attachments from DBX and MBOX e-mail archives.
- Revised extraction of attachments from original .eml files.
- PST e-mail extraction slightly improved and completed.
- Ability to select the new extraction methods individually for PST, MSG, DBX, MBOX, and EML. The old extraction method for PST and MSG is a method previously described as "MAPI". The new method for PST was introduced long ago already and is the recommended standard setting. The new methods for all other file types are new to v16.5. The old extraction methods will probably not be offered any more in future versions of X-Ways Forensics.
- Preview available for Outlook Express DBX e-mail archives.
- Support for MBR LVM2 and GPT LVM2 partitioned disks as commonly used by Fedora/Red Hat and also available in Debian and Ubuntu. Single-disk setups (the default behaviour when installing Fedora on an ordinary hard disk) and spanned volumes (i.e. logical volumes spanning several physical disks) are supported; the latter require all constituent disks/images to be open in X-Ways Forensics in order to find all the required data.
- Ability to reconstruct Linux software RAIDs from partitions. The partitions need to be opened before they can be selected.
- Support for various UDF file system versions and specialties revised and considerably extended: Improved support for UDF when used on media other than optical discs, as well as added support for virtual partitions, metadata partitions, and named streams (the UDF equivalent of alternate data streams from NTFS).
- NTFS FILE record 0x30 attribute timestamps are now displayed in Details mode next to their 0x10 counterparts.
- Fix for NTFS support for media with a sector size of 4096 bytes.
- Ability to recognize the new ReFS file system as such.
- The volume snapshot option "Include files whose clusters are unknown" has turned into one of the infamous 3-state options. If fully checked, all previously existing files of which metadata only is known will be included in a volume snapshot. If not checked at all, those files will be ignored. If half checked, only files for which more than just the name is known (e.g. size, attributes, and timestamps) will be included, e.g. found in index records in INDX buffers or in $LogFile in NTFS, but not directory entry remnants in Ext* or Reiser file systems.
X-Tensions API
- Support for VMDK snapshot images. The base image and any preceding snapshot images have to be open and interpreted already when interpreting a later snapshot.
- Fixed inability to read from flat VMDK images. Ability to interpret certain VMDK images that previous v16.5 releases could not deal with.
- Ability to create evidence file containers from File | Create Disk Image where some new users may expect that kind of functionality. (X-Ways Forensics only, not WinHex)
- The field for notes in an .e01 evidence file when creating an image is now larger and allows line breaks. Useful if you wish to record more information and structure the notes more clearly.
- C++ function definitions for the X-Tensions API are now available for download.
- A plug-in to run Python scripts as X-Tensions can now be downloaded from the X-Tension API web page, along with sample scripts. Also a minimal Python installation is downloadable.
- An X-Tension that, during a simultaneous search, uses the Luhn algorithm to check sequences of digits for whether they could be credit card numbers (and discards false hits) is now available in 32-bit and 64-bit versions. When more users create and share their own X-Tensions, as we hope, we will create a dedicated web page for X-Tension downloads.
- Ability to load X-Tension DLLs from any directory. By default, X-Ways Forensics expects X-Tension DLLs in the directory for scripts and templates.
- Only selected X-Tensions will be executed, not all X-Tensions that were added to the list.
- 7 important new functions were added:
- XT_ProcessSearchHit now receives a handle of the item or volume in which a search hit was found, for optional further reading.
- New functionality was added to the XWF_SetItemInformation function.
- More return values for XT_Prepare supported.
- New flag for XWF_OutputMessage function.
- Last parameter in XWF_GetItemInformation API function fixed.
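The Luhn-based X-Tension mentioned above filters search hits for digit runs that cannot be card numbers. The logic it applies is shown here as an added example in Python, not the X-Tension's own code: candidate runs of 13 to 19 digits (limits assumed here; the release notes do not state them), optionally separated by single spaces or dashes, are normalized and kept only if the Luhn checksum holds. The sample text is constructed and uses the widely published test card numbers.

```python
import re

# Candidate: 13..19 digits, optionally separated by single spaces or dashes,
# not adjacent to further digits. The length limits are an assumption.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check: from the right, double every second digit, subtract 9
    when the result exceeds 9, and require the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str):
    """Return (offset, normalized digits) for every candidate that passes Luhn;
    candidates that fail are the false hits the X-Tension discards."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append((m.start(), digits))
    return hits


# Constructed sample text (not evidence). The first three are public test
# numbers used by payment processors; the last two are false hits.
SAMPLE = (
    "order paid with 4111 1111 1111 1111; "
    "backup card 5500000000000004; amex 378282246310005; "
    "timestamp 2012010112345678; typo 4111111111111112"
)


def demo():
    """Digit strings from SAMPLE that survive the Luhn filter."""
    return [digits for _, digits in find_card_numbers(SAMPLE)]


if __name__ == "__main__":
    for digits in demo():
        print(digits)
```

Luhn is a checksum, not an identifier: roughly one in ten random digit runs passes it, so it removes most false hits but not all. An issuer-prefix (IIN) check on the surviving numbers is the usual next refinement.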
File Header Signature Search
- When starting volume snapshot refinements, simultaneous searches or indexing, most other functionality now remains accessible and usable. The directory browser, the case tree and all other user interface elements including all menus remain reasonably responsive most of the time. That means for example you can continue to view files, enter comments about them, add them to report tables, explore directories, activate or deactivate filters, sort files, print files, open and close other evidence objects. BTW, there is an option to minimize the small progress indicator window if you right-click its caption.
- The option to power down or hibernate the computer after completion of imaging or disk cloning is now available in the progress indicator window, so that you can still see during the process whether you had selected it and so that you can still change your mind.
- Multiple dongles attached to the same computer (e.g. terminal server) are now supported, to allow for multiple simultaneous users at the same computer not only with multi-user dongles (cf. http://www.x-ways.net/forensics/dongle.html). Each user can select which dongle to use when starting up the software. The ID of the dongle that he or she had used last will be preselected. The textual notes that are stored in the dongles, if any, will also be displayed to make it easier to identify the right dongle.
- If the only filter that is active is the "naturally active" filter that causes hidden items not to be listed, and hidden items are actually filtered out in the directory browser, then the additional filter icons that indicate an active filter are now displayed in gray, no longer in glaring blue, to reinforce the notion that it is normal for hidden items not to be listed and that nothing else is filtered out.
- Options in Name filter dialog clarified.
- Path filter extended. Multiple substrings (one per line) are now permitted, and there is a NOT option.
- Virtually attached files now have a paperclip icon.
- The backspace key and the spacebar now work in the case tree.
- File header signature search: That the start sectors of files that are already known to the volume snapshot are always excluded from file carving is now optional. Of course, X-Ways Forensics still tries to prevent duplicates, but if the file header signature definition or the internal file size detection is strong enough to suggest that a known deleted file was overwritten with a new file, then that new file will be carved although it shares the same start sector with the known file.
- If you intentionally abort the file header signature search or if the file header signature search causes X-Ways Forensics to crash, next time when you start a file header signature search in the same evidence object, you will find an option to resume it right where you had interrupted it, or where it was when the volume snapshot was last saved before the crash occurred (depends on the auto-save interval of the case).
- Ability to only include associations with user-created report tables in evidence file containers, not those created by X-Ways Forensics itself. To make use of this feature, make sure that the option to export report table associations is only half checked when you create a container. This is now also the new default setting.
- Ability to use the General Position Manager in File mode.
- Fixed error that occurred when sorting by the ST# column.
- One more option for the Internal ID filter.
- Many minor improvements.